The UK Government has announced a new data protection bill that is designed to replace the forthcoming EU GDPR. The bill is essentially an update to the existing Data Protection Act (DPA), which was introduced in 1998.
Why has the Government decided to make these changes?
As of the 25th of May, 2018, the EU General Data Protection Regulation (GDPR) will come into effect, which sets out to “harmonize data privacy laws across Europe”. Unless you’ve been living on the moon, you are probably aware that Britain is scheduled to leave the EU, and in order to ensure that businesses are able to freely transfer data back and forth after we leave, our current laws must be updated to match the GDPR.
The DPA, GDPR and Brexit
GDPR will come into effect whilst the UK is still a member of the EU as, although Article 50 has been triggered, it will take a minimum of 2 years to complete the leaving process. This means it will automatically apply to the UK until this time. The difficulty comes once Brexit has been completed, as it is unclear whether the UK will continue to abide by the GDPR or produce its own legislation. The new Data Protection Bill has been designed to mirror the GDPR in numerous ways to ensure that the UK has up-to-date legislation in place regardless of what happens with Brexit. This is essential if the UK and the EU are to continue exchanging data with one another.
What will change under the new DPA?
Right to be forgotten
The “right to be forgotten” gives data subjects more control over how their personal data is removed. There is, however, a slight difference between the new UK law and the GDPR, in that social media platforms will be obligated to delete any personal data that was submitted by an individual before they turned 18, should they request it.
The updated DPA, as well as the forthcoming GDPR, has expanded the definition of personal data, although there appears to be some ambiguity about what the new definition includes. In short, the DPA has been updated to accommodate new types of personal data such as IP addresses, cookies, and genetic and biometric data.
Under the new law, it will no longer be possible for organisations to collect personal data without the explicit consent of the data subject. Opt-in statements must be clear, specific, and require some sort of affirmative action. Likewise, if an organisation plans to share personal information with marketing companies, explicit consent must be obtained before doing so.
Sometimes, algorithms are used to “profile” individuals based on their personal data. Such profiling is used to identify individuals based on their health conditions, employment status, wealth, etc. The new DPA will allow individuals to demand that these actions be performed by a human being, as opposed to a computer.
The new law will extend individuals’ rights to enable them to easily move, copy and transfer their personal data across platforms in a safe and secure manner. However, data portability is not generally regarded as an issue that relates to data protection, but rather as a functional requirement for various social media and cloud-based platforms.
Should organisations be concerned about these changes?
As you would expect, there are several concerns and controversies surrounding these new laws. Below are some of the main concerns that have been expressed in response to the GDPR (which also includes the updated DPA):
- Many have claimed that organisations are not ready to comply with such a stringent set of mandates, especially since the penalties for non-compliance are significantly greater than what they were previously.
- Under the GDPR, organisations that process large amounts of personal data will be required to appoint a Data Protection Officer (DPO). However, concerns have been raised about the current shortage of security/privacy experts.
- Implementation of the GDPR (DPA) may put a huge strain on businesses, as most organisations must make significant changes to the way they process sensitive data. Likewise, the potential cost of hiring a DPO will likely be a burden too.
- The GDPR will also require a lot of resources to be enforced.
In order to ensure that your organisation is ready to comply with the updated DPA, you will need to ensure that you are able to answer critical “who, what, where, and when” questions about changes to your sensitive data. LepideAuditor provides IT teams with a comprehensive solution which enables you to detect and respond to interactions with critical data and provide real-time alerts and detailed reports; all of which can be used to satisfy regulatory requirements.